Users of Plex, the media server and streaming platform, are being urged to change their passwords “immediately” and sign out of any connected devices following what the company calls a “security incident” that could involve user information, including “emails, usernames, securely hashed passwords and authentication data.”
According to a post from the company, “an unauthorized third party” gained access to one of the company’s databases, potentially exposing user data.
How many breaches is too many?
Thankfully, Plex says user passwords are “securely hashed, in accordance with best practices,” meaning even if the unauthorised third party managed to take a peep, they’d only see a string of jumbled characters. Not the jumbled characters making up your Google-suggested password, a different set.
While it may be technically possible to brute-force some of the shorter, basic passwords, this probably isn’t what the unauthorised third party wants to do with their free time. Still, this is a great excuse to strengthen your OPSEC and change those passwords (and enable 2FA if you haven’t already).
The company says user credit card data was not part of the accessed data, as it is not stored on its servers.
Following the breach, Plex says it has already “addressed” the method that the attacker used and that it is “undergoing additional reviews to ensure that the security of all of [its] systems is further strengthened to prevent future attacks.” If it hadn’t suffered a similar attack in 2022, that might be enough. Now, we’re not so sure.
Good thing there’s a free and open-source alternative available — Jellyfin. It might not have all of the same features as Plex, but at least its security history isn’t as breachy. And it won’t bug you every ten seconds to upgrade to a paid account.




